Server Security

As part of the School of Medicine Security Initiative, we need accurate information about all devices that store Stanford data. This includes both "endpoint" devices (laptops, desktops, mobile devices) and now, servers.

There's now a project to inventory the servers on campus: SUSI (Stanford University System Inventory). It's important to complete the inventory step as part of the process of securing a server. If you are the listed user or administrator for a server (whether it's located in the Stanford Data Center or not), you must create a new record for it in SUSI. (Please fill out a separate record for each individual server.)

Overview

All servers on campus must conform to School of Medicine minimum security standards, whether hosted by IRT or otherwise. If you are running a server that is not physically located in the data center, you will need to make sure that you're following Stanford policies about keeping the data properly secured. You may also choose to have a server moved to the data center and hosted or managed by IRT. Wherever it's physically located, you want to make sure that it's correctly configured for good security.

Data Classification: High, Moderate, and Low Risk

A first priority in planning and managing a server is deciding what kind of Stanford data it will store: High Risk, Moderate Risk, or Low Risk.

Visit the University IT Risk Classifications page for a handy chart outlining the details of each classification of information. It also has examples of servers and applications that may be classified High, Moderate, or Low Risk, based on the kinds of information they deal with. The University IT Minimum Security Standards describe compliance for Endpoints, Servers and Applications depending on risk categorization. The standards for any device which may access or store High Risk data are more rigorous than those that do not.

All servers on campus must meet the minimum security standards for the correct risk classification.

Protect traffic coming in AND going out (ingress and egress protection). Filtering in both directions stops incoming attacks and also blocks outbound connections from a compromised server, even before you are aware of the compromise.

Keep track of what ports are open and why.

Know how to block and unblock an IP.

Control Access to Server:

Remove, disable or change passwords to default accounts.

All passwords should be strong passwords; they should also be unique, and changed periodically.

Disable "guest" accounts/access.

For data center-hosted servers, all administrative accounts must be SUNet ID accounts.

Review user accounts quarterly and remove inactive accounts.

Keep a complete list of everyone who has access to the server, and make sure you know who has which read/write privileges.

No open file-sharing is allowed.

All remote access should be restricted to specific IP addresses, and encrypted from end to end (via VPN).

Review Processes and Remove Extra Software

Know everything that runs on the server, why, and which users have access.

Disable any and all unused services.

Install anti-virus software and make sure it stays current, is running actively, and is generating logs.

Lock /tmp, /var/tmp, and /dev/shm Partitions (Linux/Unix)

Because /tmp, /var/tmp and /dev/shm are world-writable directories, any user or process can write a file there and execute it unless the mount is locked down, which makes these directories a major security concern.

With /etc/fstab you can limit what can be done in these partitions: in the /tmp line, remove the options word 'defaults' and replace it with 'noexec,nosuid'. The noexec option stops any program stored there from being run, and nosuid stops setuid/setgid bits from taking effect.

Do the same for /dev/shm and make /var/tmp a shortcut (symbolic link) to /tmp.
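Added example, not from the Stanford page: a POSIX shell check that reads mount data in /proc/self/mounts format and reports which of /tmp, /var/tmp and /dev/shm lack the noexec or nosuid options this section requires, plus a helper that rewrites a 'defaults' fstab entry for those mountpoints. The function names and the sample mount table are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Stanford page): audit /tmp, /var/tmp and /dev/shm for the
# noexec,nosuid mount options and rewrite an fstab line from 'defaults' to the locked-down form.
REQUIRED_OPTS="noexec nosuid"

# audit_tmp_mounts <mounts-text> [<resolved-var-tmp>]
#   mounts-text: contents of /proc/self/mounts (device mountpoint fstype options dump pass)
#   resolved-var-tmp: `readlink -f /var/tmp` (default /var/tmp); if /var/tmp is the symlink
#   to /tmp the page recommends, /tmp's mount is audited in its place.
# Prints one status line per directory; returns 1 if any directory is not locked down.
audit_tmp_mounts() {
    mounts=$1
    var_tmp_target=${2:-/var/tmp}
    status=0
    for dir in /tmp /var/tmp /dev/shm; do
        target=$dir
        case "$dir" in /var/tmp) target=$var_tmp_target ;; esac
        # exact match on the mountpoint field; a later entry shadows an earlier one
        opts=$(printf '%s\n' "$mounts" | awk -v d="$target" '$2 == d { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "$dir NOT A SEPARATE MOUNT (inherits its parent filesystem's options)"
            status=1
            continue
        fi
        missing=""
        for want in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$dir MISSING:$missing"
            status=1
        else
            echo "$dir OK"
        fi
    done
    return $status
}

# harden_fstab_line <fstab-line>: for a /tmp or /dev/shm entry whose options are exactly
# 'defaults', substitute 'noexec,nosuid' as the page instructs; other lines pass through.
harden_fstab_line() {
    printf '%s\n' "$1" | awk '($2 == "/tmp" || $2 == "/dev/shm") && $4 == "defaults" { $4 = "noexec,nosuid" } { print }'
}

# Constructed sample in /proc/self/mounts format: /tmp lacks noexec, /var/tmp has no
# mount of its own, /dev/shm is already locked down.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
```

On a live host run `audit_tmp_mounts "$(cat /proc/self/mounts)" "$(readlink -f /var/tmp)"`; after editing /etc/fstab the new options take effect on the next remount (`mount -o remount /tmp`).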

Lock Down Your Software: PHP, Apache, etc.

Lock down all applications per the vendor's best practices.

Use change management and version control procedures for all your software; document all changes to applications and archive previous versions, just in case.

Monitor Your Server's Performance

Keep regular track of the server's normal running speed and bandwidth usage, so you can spot abnormalities.

Include security as a design requirement of your applications. Review all code and correct identified security flaws before deployment; static code analysis tools are recommended.

Back Up Your Data

Make regular (at least weekly) encrypted backups of all data; make sure onsite AND offsite backups are kept in a physically secure environment.

Extra Requirements for High Risk:

Dedicated Admin Workstation

Access administrative accounts only via a Privileged Access Workstation (PAW). This workstation must be dedicated to administrative access to High Risk servers and must not be used for the everyday activities of a standard endpoint. Please see the UIT site on Privileged Access Workstations for additional information on PAWs.

DBG Review

Request a Data Risk Assessment of your data and server needs, and implement recommendations before deployment of any application or server that will access or store High Risk data.

Regulated Data Security Controls

Data is considered High Risk if it is required by law to be protected. Implement PCI DSS, HIPAA, or export controls as applicable.

IRT Server Hosting

If you've determined that a server should be located in the data center, contact IRT Security. Someone will arrange a time to sit down with you, go through a security questionnaire and assessment, and help you with the server move. For more information about IRT's hosting and system administration requirements and services, visit the IRT Data Center Services page.